How the NSA (accidentally) took Syria off the internet

In late 2012, as fighting intensified around Damascus, all internet services in and out of Syria suddenly shut down.

At the time, human rights groups and security firms pointed fingers at the Assad government, claiming that it appeared the regime had deliberately cut off communications to prevent the outside world from seeing what was happening in the country.

Technology firm Cloudflare published a detailed blog post, entitled “How Syria turned off the internet”, in an attempt to explain the outage and debunk claims by Syrian authorities that it was the result of a technical failure:

“While we cannot know for sure, our network team estimates that Syria likely has a small number of edge routers. All the edge routers are controlled by Syrian Telecommunications. The systematic way in which routes were withdrawn suggests that this was done through updates in router configurations, not through a physical failure or cable cut.”

And, to be fair, it seemed quite reasonable to assume that Syria was responsible for the internet blackout.

But now, in an interview with Wired, whistleblower Edward Snowden has presented a different opinion, namely that the Syrian internet shutdown was the result of an NSA hack that went wrong:

One day an intelligence officer told him that TAO — a division of NSA hackers — had attempted in 2012 to remotely install an exploit in one of the core routers at a major Internet service provider in Syria, which was in the midst of a prolonged civil war. This would have given the NSA access to email and other Internet traffic from much of the country. But something went wrong, and the router was bricked instead — rendered totally inoperable. The failure of this router caused Syria to suddenly lose all connection to the Internet—although the public didn’t know that the US government was responsible. (This is the first time the claim has been revealed.)

Inside the TAO operations center, the panicked government hackers had what Snowden calls an “oh shit” moment. They raced to remotely repair the router, desperate to cover their tracks and prevent the Syrians from discovering the sophisticated infiltration software used to access the network. But because the router was bricked, they were powerless to fix the problem.

Fortunately for the NSA, the Syrians were apparently more focused on restoring the nation’s Internet than on tracking down the cause of the outage. Back at TAO’s operations center, the tension was broken with a joke that contained more than a little truth: “If we get caught, we can always point the finger at Israel.”

So, yes, it appears that Cloudflare could have been right back in 2012 when they attributed the issue to a problematical router update. It was just that the update was being done by NSA hackers, rather than the Syrians.

Whether the NSA’s alleged attack against the Syrian router would have been enough to knock the entire country off the internet is unclear. Ars Technica speculates that Syrian telecoms chiefs might have decided to withdraw Syrian networks from internet routing tables as a precautionary measure, while they investigated what had happened to their router.

But one thing is clear. If you’re trying to hack and spy on someone, the very last thing you want to do is draw attention to yourself by breaking the very device you are attempting to infiltrate.

Is Snowden telling the truth? It’s hard to say. It’s not as though the NSA is ever likely to willingly admit to any hacking it was doing against another country, and the Syrian authorities have probably got more pressing matters to worry about than an internet problem from two years ago.

But it does underline a central problem with governments and their intelligence agencies engaging in internet surveillance and snooping against their adversaries. As well as the legal and ethical debates concerning such behaviour, sometimes things can go badly wrong. A team at the NSA or GCHQ are just as human as the rest of us – and just as capable of goofing up, and making a mistake.

And those mistakes, made in the heat of rising political tension or military activity, could one day be much more costly than a few days of lost internet access.

About The Author

Security analyst

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.
Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.